**No bounty** Fix Path traversal vulnerability on Snek Serv

[alromh87]

📊 Metadata *

Bounty was not set but still worth fixing and send trough huntr

The snekserve project is a directory listing server which is vulnerable against Directory Traversal, which may allow access to sensitive files and data on the server.
For example, requesting the following URL: /../../etc/passwd would result in /etc/passwd leaking.

Bounty URL: No bounty, just to get it fixed

⚙️ Description *

There is no path sanitization in the path provided making marscode vulnerable against path traversal through the ../ technique, leading to information exposure and file content disclosure.

💻 Technical Description *

Fixed by sanitizing any occurrence of ../, using regexp.

🐛 Proof of Concept (PoC) *

1. Start the server
   node index.js
2. Request private file from server
   curl -v --path-as-is http://127.0.0.1:8080/../../../../../../../../../../../etc/passwd
3. /etc/passwd will be displayed.

Proof of Fix (PoF) *

After fix Response code 400 Bad request is returned to user instead of restricted file conten

👍 User Acceptance Testing (UAT)

After fix functionality is unafected

[bbeale]

[Mik317]

LGTM 😄 🍰
Sorry for the late reply

Cheers,
Mik

[mufeedvh]

LGTM 👏🎉